As best as I know, this is the guideline, and the legal technicalities that
answer the question of port scanning legality versus access a system. I
definitely should not be considered an absolute authority on legality, so
please put the flamethrowers aside for now. Let me preface my comments
by saying that I am a firm believer in freedom of information and open
systems, but I also am a firm believer in justice and fairness. It is a fine line
to walk between security/paranoia/dictatorship and personal liberty.
Comments are welcomed and encouraged!
1) When you go to a site such as www.nsa.gov, connecting via port 80 and
using http, you have been authorized to access that site via the declared
method (in this case, web browser). In fine, nit-picking terms, you are
authorized by the NSA to connect to their web site via port 80, and nothing
else. This would also be the case with anonymous FTP. Again, you have
been granted specific permissions with a narrow scope. To do anything that
does not fall within that scope can be construed as "unauthorized access"
even if you are utilizing the port made available. Just because a port is open
for a specific application does not mean that it is a "public" port. And even if
it were public, there is a certain amount of responsibility that does along with
have public assets available for use.
2) Port scanning can be deemed illegal, unauthorized access along the
strictest of lines. If you have not been granted explicit access to a system,
regardless of how the ports are assigned to applications, then port scanning
violates those restrictions. However, along with this the owner of the
machine must also have policies in place that can legally back up their
description of "authorized access", etc.
3) Legality is a touchy issue right now and basically comes down to walking
a fine line. On the one hand, it is the responsibility of the owner to
thoroughly document usage policies and make the information widely
available. If that is done, then most of the time that is enough legal
precedence should a court case be opened. Negligence is not a viable
defense. On the other hand, if there is no policy in place defining "authorized
access" then there is less legal recourse for responding to an intrusion,
whether or be a port scan or an actual root compromise.
4) Analogy: If you have a piece of land that you do not want people to hunt
on (I'm from Minnesota, btw), you have to post "No Trespassing" signs all
around the border of that property. If you do not make an effort to post your
land, then you have no legal recourse should a hunter wander onto your land.
Similar methods must be used for computer systems. Unfortunately, at
least right now, there isn't any easy or nice way to post your system w/o
allowing a person to access that system. Thus, the law loosens a bit in
favour of the owner with the understanding that it is highly difficult, if not
impossible, to thoroughly and effectively post your property.
5) On the flip side: A case was tried and won by a hacker (defendant) who
broke into a site. The company had stated in the banner of the system
"Welcome to <router name>". The court ruled that saying "Welcome" was
the same as inviting someone to enter their system and play around. I
believe that this ruling was overturned later by a higher court because
adequate policy existed prohibiting certain kinds of access to the system.
Regardless, seemingly trivial things like this can work against a site.
Cheers,
-ben
At Tuesday 2/23/99 0217 AM , HD Moore wrote
>Daemor wrote
>>
>> Communicate with? Retrieve data from? Who authorizes me to connect
to
>> port 80 at www.nsa.gov? No one, it is made publicly available. No
>> authorazation is required to access the data. Port scanning simply asks
>> which services are offered by a computer. Unless measures have been
>> taken to restrict access to the data and the individual has attempted to
>> circumvent those measures then I see no crime. Being charged with a
>> misdemeanor simply for port scanning ALONE seems a bit rediculous to
>> me. I realize that scanning a host is often followed by an attack on a
>> system or is part of a search for vulnerable systems but simply asking
>> if the information is publicly available should not be a crime.
>
>Along these lines, I was wondering what the legal status of accessing
>FTP servers with anonmyous logins, wide open NFS exports, or NetBIOS
>shares. There needs to be some clarification of what is considered
>public access and what is simply misconfiguration. Anyone have
>something to contribute about what is actually legal to access and what
>is invasion? Is any resource that can be accessed without special
>authorization considered public access in the terms of the law?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Benjamin Tomhave Falcon_at_CyberSecret.com
http://falcon.cybersecret.com/default.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Here is where the road divides..."
"...and a lifetime's not too long to live as friends."
-Michael W. Smith (Pray For Me, Friends)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received on Feb 23 1999
Intro
